
Re: (ITS#4719) Support for running slapadd/slapindex as a user




On Tuesday 24 October 2006 21:00, quanah@stanford.edu wrote:
> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt@OpenLDAP.org wrote:
> > At 11:48 AM 10/24/2006, ando@sys-net.it wrote:
> >> quanah@stanford.edu wrote:
> >>> It would be nice if you could pass -u and -g options to run as another
> >>> user/group so that on systems where OpenLDAP is running as another user
> >>> or group, the files created by slapadd & slapindex have the correct
> >>> ownerships (rather than root, for example).
> >>
> >> OK for slapadd; for slapindex and other tools, what about using
> >> user/group info from the file(s) itself?
> >
> > Why not just use su(1)?  the only reason slapd(8) has -u/-g options
> > is because it changes root after some initialization.
>
> Because some people are brain dead, and because other people set up
> application accounts that don't actually have a shell.

And some brain-dead OSes have an su without a -s flag?

> It also makes
> things more consistent behavior wise.  I personally don't have this issue
> because I run openldap as root anyway, but I've seen list traffic about
> this on more than one occasion, and am seeing people hit it on the debian
> openldap list as well.

Debian doesn't have a brain-dead su, so 'su -s /bin/bash -c "slapadd ...."'
etc. is feasible.

One of my colleagues has a sticker on his monitor which says:
Social Engineering Specialist: because there is no patch for stupidity.

I haven't seen the need for this myself (but then I don't use back-config, and
my initscript parses slapd.conf to find all database directories, and checks
ownership on all of them).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
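
An ownership check of the kind mentioned in the message above, as an added example (not the poster's initscript and not OpenLDAP code). The function names are hypothetical, and it assumes every `directory` directive starts in the first column of slapd.conf.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the thread.
# Assumes each "directory" directive starts in column 1 of slapd.conf.

# Print every database directory named in the config file $1.
slapd_db_dirs() {
    awk '
        /^directory[ \t]/ {
            sub(/^directory[ \t]+/, "")   # drop the keyword
            sub(/[ \t]+$/, "")            # drop trailing blanks
            gsub(/^"|"$/, "")             # drop surrounding quotes
            print
        }' "$1"
}

# Return 0 if everything under each database directory in $1 is owned
# by $2 (user name or numeric uid); list offenders and return 1 if not.
check_db_ownership() {
    conf=$1 owner=$2 status=0
    dirs=$(slapd_db_dirs "$conf") || return 2
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "missing database directory: $dir" >&2
            status=1
            continue
        fi
        # Files left behind by a root-run slapadd/slapindex show up here.
        bad=$(find "$dir" ! -user "$owner" -print)
        if [ -n "$bad" ]; then
            printf 'not owned by %s:\n%s\n' "$owner" "$bad" >&2
            status=1
        fi
    done <<EOF
$dirs
EOF
    return $status
}

# Stand-alone use: script.sh /path/to/slapd.conf ldapuser
if [ "$#" -eq 2 ]; then
    check_db_ownership "$1" "$2"
fi
```

A non-zero result after slapadd or slapindex has been run as root is the situation this ITS describes: slapd, running as an unprivileged user, can no longer write its own database files.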
